In reference to this Network Computing Report article titled "'Operation Shady Rat' Perpetrated Five Years Of Long-Term Attacks On Government, Enterprises"

The Cliff's Notes to the article is thus: it has been discovered that many countries and large corporations have been the target of long-term, concerted attacks. This information has been discovered through a long term research effort done by McAfee.

A quote from the article intrigued me (emphasis mine):

In a probe dubbed Operation Shady RAT (for Remote Access Tool),
researchers gained access to one of the attackers’ command and control
(C & C) servers and obtained detailed insight into the victims, the
information stolen, and the methods used.

McAfee has gained access to one specific Command & Control server used
by the intruders.

But they don't say how they gained access. Maybe it was after a legal seizure of hardware.

How would researchers gain control of an attacker's systems and not themselves have broken the law? Must they attain some kind of "warrant" or legal blessings on this kind of thing? Is it ever acceptable to penetrate an attacker's systems in the course of researching their behavior?

Unless there is a site user here with strong ties to McAfee, I suspect we can only speculate.
– this.josh, Aug 3 '11 at 18:49

From one of the comments in Dmitri's blog I speculate that they did a 'white hat' hacking, in which a Judge/Police/FBI/whatever gave them permission to hack the server. This would be pretty much the same as a warrant to search someone's home.
– Augusto, Aug 8 '11 at 11:00

@AviD: That's BS that you took answers from my question and closed my question. This is the question that should have been closed... Care to comment on your logic? Link to my question which resulted in 2 of the three answers below: security.stackexchange.com/questions/5905/…
– blunders, Aug 8 '11 at 17:39

@Augusto My questions aren't specific to McAfee. They're generic. I just used the McAfee scenario as a real life example to kick the generic questions off.
– Wesley, Aug 8 '11 at 18:02

Also, as a result of the merge, there was a bit of comment confusion. I thought gowenfawr and zedman9091's answers were directly made to mine - which they're not. My question is generic in nature and not specific to the McAfee incident. I was interested in a general sense how security professionals can gain access to an attacking machine.
– Wesley, Aug 8 '11 at 18:09

3 Answers

C&C servers are often servers that got hacked, not servers rented by the attacker.

Security support contracts

For public organisations there are often CERTs (computer emergency response teams) responsible for them. For example, there is the DFN-CERT for all German universities. Large companies tend to have support contracts with companies specialised in security.

So after the security breach is noticed, the server may be turned over to the security organisation in order to do forensics: learn how the attacker got in, try to estimate what damage they caused, what data they had access to, etc. Knowing the damage as well as possible may be especially important in order to defend against being sued by customers.

This is the most common case. The wording is very similar to what our CERT said when they got handed a C&C server by a university some time ago: "The CERT gained access to a command and control server which collected a list of web addresses, usernames and passwords. As the domain of the following entries is within your responsibility, please inform your users with the following account names that their computer is infected".

The security organisations obviously need to prevent drawing attention to their customers because it implies that the customer got successfully attacked.

Other means

The C&C might have been a honeypot, a server dedicated to being attacked. I think this is unlikely because it is said that the C&C server was active for years.

There might have been a court order to seize the server. But if that was the case and the security company was called as an expert witness, they would probably not be allowed to go public.

The security company might have gotten unauthorized access. I consider this extremely unlikely because of the huge legal risk involved.

tl;dr

The company, which unwillingly hosted the C&C, most likely handed it over to their security consultants for damage assessment.

There has been a small but significant trend in which whitehat intrusion into or onto clearly malicious infrastructure has been treated as permissible, necessarily expedient, or - uh - "look-the-other-way-able".

We saw it several months ago when the US government took control of various domain names. I am aware of a couple of incidents where respectable security professionals started playing who-controls-the-botnet-now with active malicious botnets. So I am comfortable speculating that McAfee made unauthorized access to a C&C node as a part of their investigation into a botnet. I've no hard data or proof; this is pure speculation.

You could have a really fascinating ethical discussion about it:

The attackers have no compunctions; a defender who ties their own hands is at a distinct disadvantage.

The contested servers are often owned by a 3rd party who is arguably criminally negligent; does that negligence erode their rights?

The contested servers are the Internet equivalent of a rabid dog, and IRL, the law sanctions killing of a dangerous animal, doesn't it?

I speculate that in the case of Shady RAT, someone decided to go for it, and the payoff was beyond what anyone could have hoped. (Logs back to 2006? Really?)

The official statement says, "McAfee has gained access to one specific Command & Control server used by the intruders." It would seem extremely likely that they were brought into the picture for analysis by someone with access to the C&C server, considering the implications the alternative (McAfee turning black hat) would have for their company. If you take that as a working theory, then you need to question why that relationship was not mentioned, just as you have.

A likely answer there is that those folks asked McAfee for assistance as part of an official investigation. If that were the case, then we have McAfee accusing China of state-sponsored APT attacks based on another state providing them the data. The 'advanced' part of this APT includes a single server running for five years without clearing the incriminating logs.

Your question is an outstanding one. Sorry to only provide speculation, but my guess is that is all that will be available for the near term.